Trojan:Android/GinMaster.A steals confidential information from the device and sends it to a remote website.
When detected during scanning, F-Secure SAFE will prompt you for a desired action. You may assess the detected file and choose to Uninstall, Quarantine or keep it installed on your device. More information about these options can be found at Help Center: Assess files detected during scanning.
Monitoring-Tool:Android/GinMaster.A can be uninstalled by following the steps below:
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more assistance.
Trojan:Android/GinMaster.A is a trojanized application which was first seen in the Android Market for (mainland) China by researchers from North Carolina State University. The exploit source code has been publicly available since April 2011.
It is the first malicious software to utilize a rooting exploit that targets Android 2.3.3 (Gingerbread) devices to escalate privileges on the system. Based on the author's own description of the exploit and examination of its binary, it may also work on Android 2.2 (Froyo) and 3.0 (Honeycomb) devices.
Trojan:Android/GinMaster.A's own description.
However, in the particular sample analyzed, the trojan will only run the exploit if the device's Android version is not greater than 2.3.3 (i.e. up to Gingerbread only).
Trojan:Android/GinMaster.A's use of the exploit may allow it to install additional applications to the device without the user's consent.
The malicious application asks for the following permissions during installation:
Permissions requested by Trojan:Android/GinMaster.A
If the user agrees to the permission requests and proceeds with installation, the application starts a malicious service in the background. The malicious service is designed so that, as long as the main process is running, the operating system will not terminate it when device memory runs low.
This is how it looks on the device in the list of running services.
Trojan:Android/GinMaster.A starts a service in the background.
The malicious service (in effect, the trojan's payload) is triggered when one of the following conditions is met:
All these malicious activities occur invisibly in the background and are performed without notifying the user or seeking consent.
While the trojanized application is running, to the user it appears to be a list of links leading to pretty images:
Some images from the trojanized application
After a few seconds, a popup message appears asking the user to confirm an update. If the user confirms, a new application update downloaded from the internet will be applied.
The user can choose not to confirm the update and simply press the phone's back button. The trojan nevertheless proceeds to silently download the application package and save it on the device's SD card, all without the user's consent.
Trojan:Android/GinMaster.A automatically downloads the 'update' regardless of user action.
If any of the trigger conditions for the malicious service is met, it immediately downloads application configuration and harvests the following confidential information from the device:
The stolen information is sent to a remote site.
The trojan also collects package information for the packages installed on the system (except those with "Android" or "Google" in the package name) and stores it in its local database.
Package information of installed programs harvested and saved.
The trojan also collects package information for apps newly installed on or removed from the device. For this sample, a test install of Skype was used.
Package information of newly-installed program saved.
The collected package information is also sent to the remote site together with the above-mentioned confidential information.
The malicious service then proceeds to the rooting process by first preparing the files it needs, then executing them.
The original files are given .png extensions (presumably to mislead the user), but they are in fact ELF32 ARM binaries and shell utility scripts.
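As an added example (not code from the F-Secure write-up or from the trojan itself), the following Python checks an APK for assets whose .png extension hides an ELF32 ARM binary or a shell script, the disguise described above; the APK contents and entry names are constructed for the demonstration.

```python
import io
import struct
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
EM_ARM = 0x28  # e_machine value that the ELF specification assigns to ARM

def classify(data: bytes) -> str:
    """Identify a blob by its leading bytes, ignoring the file extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"#!"):
        return "shell-script"
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = "ELF32" if data[4] == 1 else "ELF64"        # EI_CLASS
        endian = "<" if data[5] == 1 else ">"               # EI_DATA
        (e_machine,) = struct.unpack(endian + "H", data[18:20])
        arch = "ARM" if e_machine == EM_ARM else f"machine-0x{e_machine:x}"
        return f"{bits}-{arch}"
    return "unknown"

def find_disguised_assets(apk_bytes: bytes) -> list:
    """Return (name, real_type) for every .png entry that is not actually a PNG."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".png"):
                continue
            kind = classify(zf.read(info.filename)[:64])
            if kind != "png":
                findings.append((info.filename, kind))
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample APK (hypothetical entry names): a genuine PNG header,
    an ELF32 ARM header and a shell script, all stored under .png names."""
    elf32_arm = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # 16-byte e_ident
    elf32_arm += struct.pack("<HH", 2, EM_ARM) + b"\x00" * 32  # e_type, e_machine
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/logo.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("assets/root.png", elf32_arm)
        zf.writestr("assets/install.png", b"#!/system/bin/sh\nexit 0\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, kind in find_disguised_assets(build_sample_apk()):
        print(f"{name}: extension says PNG, content is {kind}")
```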